unshadow

Combine the /etc/shadow and /etc/passwd of the current system

$ sudo unshadow /etc/passwd /etc/shadow

$ sudo unshadow [path/to/passwd] [path/to/shadow]

unshadow [passwd_file [shadow_file]]

unshadow is a command-line utility from the shadow-utils package that merges the contents of the /etc/passwd file with the sensitive password hash information from the /etc/shadow file. Its primary purpose is to create a single output stream, typically directed to standard output, which contains all the necessary user account details and their corresponding encrypted password hashes.

This combined format is particularly useful for password auditing and cracking tools, such as John the Ripper, as it provides all required data in a consolidated manner. The command reads the passwd file first, then correlates entries with the shadow file based on username, outputting lines that resemble enhanced passwd entries, but with the 'x' placeholder replaced by the actual encrypted password from shadow, along with password aging information. Since /etc/shadow contains highly sensitive data, unshadow typically requires root privileges to read it.

Security Risk: The output of unshadow contains sensitive password hashes. This output should be handled with extreme care and never stored in insecure locations or transmitted unencrypted.
Permissions: To read the /etc/shadow file, unshadow must be executed with root privileges or by a user with appropriate capabilities.
Purpose-Specific: The utility is designed primarily to prepare data for password auditing/cracking tools and is not intended for general user management or display.
No Modification: unshadow only reads input files and prints to standard output; it does not modify any system files.

While unshadow doesn't have traditional command-line options (like -h or -v), it accepts up to two positional arguments: passwd_file and shadow_file. If these arguments are omitted, unshadow defaults to reading from /etc/passwd and /etc/shadow respectively. This allows users to test the command with custom or copied password and shadow files without affecting the live system files.

The output of unshadow is printed to standard output (STDOUT). Each line corresponds to a user entry, formatted similarly to /etc/passwd but with the encrypted password hash (and often password aging information) directly embedded from /etc/shadow. This makes the output immediately usable by tools like John the Ripper, which can parse this specific format to begin password cracking attempts. An example output line might look like:
username:encrypted_hash:UID:GID:GECOS:home_directory:shell

The unshadow command is part of the shadow-utils package, which provides a set of tools for managing user accounts and password security on Linux and Unix-like systems. Its development emerged from the need to secure user password hashes by separating them from the publicly readable /etc/passwd file into the restricted /etc/shadow file. unshadow was created as a utility to bridge this separation specifically for scenarios requiring the combined data, such as security auditing or password recovery, allowing tools to work with a unified data stream while maintaining the underlying system security.

passwd(1), shadow(5), group(5), chage(1), login.defs(5), john(1)